I'll add to this bug instead of making a new one. /cgi-bin/cookies.cgi contains XSS (persistent via cookie) and Header injection vulnerabilities in vars repeatmerged, terse, reverse, trim, oldview XSS PoC: https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%3Cscript%3Ealert('xss')%3B%3C/script%3E Header injection PoC: https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%0aLocation%3A%20http%3A%2F%2Fgoogle.com%2F%0a -v